ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Baostock Skill

v1.0.0

Query Chinese A-share market data using BaoStock. Use when user asks for stock quotes, historical K-line, fundamentals, or market analysis. Supports real-tim...

0· 57·0 current·0 all-time
by@liyico
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md and scripts claim to run a local CLI (baostock) or the included Python CLI (scripts/baostock_cli.py), but index.ts calls a hard-coded absolute path (/Users/nico/.openclaw/workspace/skills/baostock-skill/baostock) that is not part of the bundle. skill.json's main/scripts entries reference non-existent files (scripts/baostock_interface.py, scripts/query_stock.py), indicating inconsistent packaging and leftover developer paths. These mismatches are not proportional to the stated purpose and suggest sloppy packaging or misconfiguration.
!
Instruction Scope
SKILL.md suggests invoking a CLI; the included Python CLI looks reasonable. However, index.ts builds a shell command by concatenating unsanitized input into an exec() call (args like --symbol ${symbol} are inserted without escaping). This permits command injection if symbol/type/etc. contain shell metacharacters. index.ts also invokes an executable at an absolute path rather than the included script, which could execute an attacker-controlled binary if that path is created. skill.json grants read/write to ~/.openclaw/workspace/** which could expand the scope of what the skill can access.
Install Mechanism
There is no install spec (instruction-only), which is low risk in principle. The SKILL.md asks users to pip install baostock/pandas. No remote downloads or archive extraction are present in the package. However, the package metadata lists dependencies and requirements and references missing files, indicating packaging errors that should be resolved before trusting the skill.
!
Credentials
The skill requests no environment variables, which is appropriate. But skill.json requests broad file-system permissions (read/write on ~/.openclaw/workspace/**). Given the hard-coded developer path and exec usage, those permissions are disproportionate and could allow the skill to read or modify unrelated workspace files or caches. The code itself doesn't require secrets, but the broad file permissions increase risk.
Persistence & Privilege
The skill does not set always:true and does not request elevated platform privileges. That is appropriate. However, skill.json's declared file-system permissions provide a persistent capability to read/write the OpenClaw workspace; combined with the exec and path issues this is noteworthy but not an automatic privilege escalation.
Scan Findings in Context
[no_pre_scan_findings] expected: Static pre-scan reported no regex hits. That doesn't mean the package is safe — the manual review found multiple logical/integration issues and a command-injection vulnerability in index.ts.
What to consider before installing
Do not install or enable this skill yet. The package contains several inconsistencies and a concrete risk: index.ts runs a shell command by concatenating user-supplied arguments into child_process.exec and calls a hard-coded developer path (/Users/nico/...), which can lead to command injection or execution of an unexpected binary. Before installing, ask the maintainer to: 1) fix skill.json to point to existing entry points and remove stale developer paths; 2) make index.ts invoke the included Python script (scripts/baostock_cli.py) or use a safe child_process.spawn with an args array (no shell concatenation) and proper escaping; 3) narrow file-system permissions (avoid broad read/write to ~/.openclaw/workspace/** unless strictly needed); 4) provide an install spec or clear instructions that match the actual files; and 5) re-run a security review. If you must test, run it in an isolated environment (VM or container) and do not grant it access to sensitive workspaces or credentials.
index.ts:32
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d0f8z4vhah0gc9z73e5z2c583n2q1localvk97d0f8z4vhah0gc9z73e5z2c583n2q1

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments